
Top 10 FAQs about Balancing UX and Account Security

December 23, 2021 | 8 min Read

For anyone working on a fraud or security team in a fast-growing company, striking a balance between ensuring account security and maintaining a positive user experience (UX) is one of the hardest parts of the job. If you prioritize a seamless login or registration experience, attackers get through too easily. If you prioritize stringent security measures, users abandon out of frustration, and conversion rates drop. You come to accept that there are tradeoffs.

How do you bridge the gap and find the best of both seamless user experience and strong account security?

We’ve gathered the most frequently asked questions around this topic and proven strategies to prevent attacks without causing frustration to good users.

Q: Why are digital accounts increasingly vulnerable to attackers today? 

A: Today’s attackers treat fraud as a full-time job. As data spills continue to occur, attackers can carry out attacks more cheaply and easily than before, which increases their profits. Account takeover (ATO) has become a low point of entry for an attacker, and with profits increasing, attackers are more motivated than ever. Because businesses can’t outright block potential attacks without sacrificing user experience, attackers are able to disguise themselves as good users to compromise existing accounts or leverage fake accounts for monetary gain. Between gaps in security measures and monetary motivation, attacks on accounts continue to proliferate and remain one of the fastest-growing forms of cybercrime.

Q: How do you approach balancing security without damaging growth?

A: Long-standing bot solutions add to long-term costs because they fail to stop all attacks and add unnecessary friction that disrupts user experience (UX). Discontented users may switch to competing businesses, resulting in customer churn and lost revenue. Businesses need to adopt a targeted approach to friction that rewards good users and pressures risky traffic. At the point of login and registration, only suspicious traffic should be required to prove its trustworthiness, while good users face little to no friction. To improve customer throughput, security solutions should focus on risk detection that uncovers fraudulent intent without punishing good users.

Q: Which business roles and functions are concerned with account security and UX?

A: Fraudsters will look for any weak link in the customer experience that they can exploit. They understand how security teams are typically organized and what tools are used. They don’t care who owns the security measures, simply how they can bypass them. In this sense, fraud, identity, and security teams need to better integrate and work in tandem to help create a more holistic security posture in the fight against attacks. As growth teams drive toward a frictionless experience and security teams drive toward greater defense, these teams need to include each other in their strategies.

Q: How do businesses set up their teams successfully to work across functions? 

A: With the growing sophistication of attackers, security teams are kept on their toes and are called to strengthen their approach to fighting cybercrime more than ever. Trust and safety teams need to establish close partnerships and define key metrics from growth teams to ensure a balance between account security and overall growth. Now is the time to strengthen the communication between security teams and develop a solution that grows with the fraud landscape without affecting good user throughput.

Q: What are the key metrics to monitor to maintain the balance?

A: Businesses are most successful when attack rates are low while maintaining high rates of customer throughput (99% or higher), reducing false positives and false negatives, and keeping interdiction rates to a minimum. Outright blocking potentially risky traffic isn’t a successful security strategy because it leaves some good users without access, which damages customer throughput and causes user dissatisfaction. On the other hand, focusing too much on ease of access lets attackers through as they become more advanced and harder to detect. If attacks are still getting through, the key places to monitor are the login and registration touchpoints, where businesses should aim to detect signs of fraudulent intent before attacks happen.

Q: What are the UX challenges with using MFA in account security?

A: Multi-factor authentication (MFA) is a high-friction solution, so it causes problems with user experience and customer throughput. Out-of-band authentication methods slow customers down, which leads users to opt out of the process. Adoption in many industries is as low as 5%. In addition, it takes extra time and effort to educate users and entice them to adopt MFA when consumers are not willing to sacrifice convenience for account security.

Q: What is the role of invisible risk screening in account security and UX?

A: Invisible risk screening technology has come a long way in device, IP, and network fingerprinting capabilities. Behavioral biometrics have also become more and more accurate at distinguishing potentially risky traffic from good users. Invisible screening and behavioral biometrics make it possible to deter risky traffic while good users access their accounts easily and without excessive friction. This also empowers companies to avoid false positives (blocking good users) and false negatives (attacks getting through), and so to maintain a positive UX while also guaranteeing account security.

Q: What is the role of user challenges in account security and UX and how can businesses make these challenges more customer-centric? 

A: "We want more friction," said nobody ever. However, secondary screening can play a useful role in decreasing the risk of false positives, false negatives, and inconclusive signals. Challenges can be used to validate suspicious traffic, looking for telltale signs of bot or human fraud farm activity. That being said, it is important that these challenges are highly targeted and focus on malicious or high-risk activity so as not to affect a user’s ability to pass through effortlessly. In some industries like banking, however, authentication measures may give users a sense of trust in the company, knowing that security measures are in place to protect their information. If a user shows suspicious signals, the most important thing is ensuring challenges are easy for the majority of individuals to solve. For instance, at Arkose Labs, 98% of good users that see a challenge pass on the first try. The key is to stop treating customers like criminals and establish a system that serves the appropriate step-up measure for the riskiness of the user’s behavior.

Q: Is friction bad?

A: Not all friction is bad, but it needs to be targeted. Consumers have become accustomed to image- and text-based verification measures in their login and checkout processes. However, these measures still frequently frustrate users who struggle to pass the challenges. When challenges are targeted to only suspicious traffic, you can reduce steps to login and registration while maintaining a level of defense against malicious traffic. Digital businesses can slowly remove friction without customers noticing, so all they know is a smooth and easy experience. For instance, Roblox had faced challenges with friction and user throughput but found in an A/B/C test that the Arkose Labs solution had zero reduction in conversion vs. a 9.8% forfeit of throughput with reCAPTCHA. Therefore, as long as friction is used specifically for suspicious traffic, companies can see a significant improvement in customer throughput without sacrificing security.

Q: How do we better distinguish human-driven attacks from good humans? 

A: Human attackers aim to slip under the radar by behaving like genuine users, making detection of these attackers more difficult. Human attackers often try to perform attacks at scale on multiple different devices at once. Thus, businesses need advanced behavioral analytics, including behavioral biometrics (keystroke, accelerometer, speed, etc.), shared intelligence across a network on previous devices linked to attacks, and a step-up strategy to challenge high-risk behavior without outright blocking users.

As digital businesses continue to grow in number, the fraud landscape becomes more difficult for companies to navigate. Businesses shouldn’t have to choose between security and UX and should opt for a strategy that prioritizes risk decisioning and targeted enforcement challenges. Rather than blocking potentially harmful traffic or adopting a system that over-complicates the login process, security measures should be more user-centric while maintaining a low rate of attack. At Arkose Labs we believe that authentication measures can and should be as friendly for users as they are strong on account security. That’s why our platform offers intelligent risk detection and a targeted friction approach for long-term attack prevention.